Exploiting Out Of Band XXE using internal network and php wrappers
Hello hackers, A couple of weeks ago I tweeted about exploiting an out of band XXE vulnerability with a firewall blocking all outgoing requests including DNS lookups, so here is the full story: This is a private bug bounty program so I won't be mentioning who the vendor is. As usual during a hacking night while navigating the target application I came across an endpoint that took a parameter called xml but its value was encrypted. Later I found out that XML data sent to the backend is encrypted in the client side before sent in HTTP requests which means that XML data might not be properly validated in the backend, so I wanted to modify it to be able to inject my own XXE payload. So what I first tried was to find the JavaScript function used to encrypt the XML and do the same for my custom XML payload, however, the application's JavaScript was minimized with WebPack which made it very hard to read and trace functions. To avoid the hassle of finding the JavaScript encrypting